Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

Microsoft’s August 2017 Patch Tuesday brought the first Windows 10 Linux subsystem patches, just as a new version of the Linux subsystem is released for Windows Server.

Microsoft released its August 2017 Patch Tuesday fixes, which targeted 48 vulnerabilities across various Microsoft products, including 15 critical patches and the first two fixes for the Windows subsystem for Linux.

One patch for the Windows 10 Linux subsystem remediated a denial of service flaw (CVE-2017-8627) that Microsoft rated only “important,” not critical; because the issue had already been publicly disclosed, experts said it should be moved up the priority scale.

Both patches were for the Windows 10 Linux subsystem, but Microsoft also just announced that Insider Builds of Windows Server could begin using the Linux subsystem, and it is unclear whether the vulnerabilities affect Windows Server as well.

Bobby McKeown, senior manager of engineering at Rapid7, said enterprises should be careful when enabling the Windows 10 Linux subsystem.

“It is likely to increase the attack surface, given that it is going to be harder to control what applications are installed on a machine. Also, the combination of two different systems, which have access to each other’s file systems, is likely to increase possible attack vectors,” McKeown told SearchSecurity. “This is not default for normal users, however, with more and more adoption, it will become a greater target for attacks, and possible disclosure of vulnerabilities will potentially raise the profile of these types of vulnerabilities.”

Dustin Childs, communications manager for Zero Day Initiative, said Microsoft has done well to minimize potential risks associated with using the Windows 10 Linux subsystem.

“While the addition of a new, interactive shell does increase the attack surface on a Windows system, the fact that [the Windows 10 Linux subsystem] cannot run persistent Linux services, such as daemons, jobs, etc. as background tasks limits this threat,” Childs told SearchSecurity. “Any time a new feature is introduced, we know researchers take a close look at it to see if they find anything interesting. After this initial spike, it’s likely this component will receive a similar amount of attention as other, similar components.”

Other patches to prioritize

Beyond the Windows 10 Linux subsystem patches, experts roundly agreed the highest priority patch was CVE-2017-8620, a critical vulnerability in the Windows Search service which could allow an attacker to take control of the target system and “install programs; view, change, or delete data; or create new accounts with full user rights,” according to Microsoft.

Jimmy Graham, director of product management at Qualys, said this was the third time Microsoft has needed to patch the Windows Search service.

“As with the others, this vulnerability can be exploited remotely via [server message block (SMB)] to take complete control of a system, and can impact both servers and workstations,” Graham wrote in a blog post. “While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya.”

Childs agreed this was the most critical bug of the month.

“As with the previous Search flaw, within an enterprise, an attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer,” Childs wrote in his analysis. “That’s pretty close to wormable and just the sort of thing malware writers look for in a bug. Also, let this be your monthly reminder to disable SMBv1.”
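An added audit script, not from the article or from Microsoft, that checks a Windows 10 host for the exposures this section raises: SMBv1 still enabled, the Linux subsystem enabled, and the Windows Search service running without the fix. It assumes an elevated PowerShell prompt on a Windows 10 client (Windows Server uses Get-WindowsFeature instead), and the KB number is a placeholder to be filled in from Microsoft's advisory for CVE-2017-8620.

```powershell
# Added audit script (not from the article or from any vendor): reports the
# exposures the experts above call out on a Windows 10 host. Run elevated.
# Assumption: Windows 10 client; the KB id is a placeholder to replace with
# the real one from Microsoft's advisory for CVE-2017-8620.

function Get-AugustPatchExposure {
    [CmdletBinding()]
    param(
        # Placeholder KB id; replace with the real one from the CVE-2017-8620 advisory.
        [string]$SearchPatchKb = 'KBnnnnnnn'
    )

    # Optional-feature state covers the client and server halves of SMBv1 on Windows 10.
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # The SMB server configuration is the switch that governs inbound SMBv1.
    $smb1Server  = Get-SmbServerConfiguration
    $wslFeature  = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
    # WSearch is the Windows Search service affected by CVE-2017-8620.
    $searchSvc   = Get-Service -Name WSearch -ErrorAction SilentlyContinue
    $patch       = Get-HotFix -Id $SearchPatchKb -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Smb1FeatureEnabled   = ($smb1Feature.State -eq 'Enabled')
        Smb1ServerEnabled    = [bool]$smb1Server.EnableSMB1Protocol
        WslEnabled           = ($wslFeature.State -eq 'Enabled')
        SearchServiceRunning = ($null -ne $searchSvc -and $searchSvc.Status -eq 'Running')
        SearchPatchKb        = $SearchPatchKb
        SearchPatchInstalled = ($null -ne $patch)
    }
}

$report = Get-AugustPatchExposure
$report | Format-List

# Turn the raw state into the actions the article recommends.
if ($report.Smb1FeatureEnabled -or $report.Smb1ServerEnabled) {
    Write-Warning 'SMBv1 is enabled; disable it: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
}
if ($report.WslEnabled) {
    Write-Warning 'WSL is enabled; confirm the August 2017 WSL fixes (including CVE-2017-8627) are installed.'
}
if ($report.SearchServiceRunning -and -not $report.SearchPatchInstalled) {
    Write-Warning "Windows Search is running and $($report.SearchPatchKb) is not installed; prioritize CVE-2017-8620."
}
```

Disabling the SMB1Protocol feature requires a reboot to take effect, so re-run the audit afterwards to confirm the server-side flag has cleared.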

“This could allow for an attacker on a guest OS to escape and execute code on the underlying hypervisor,” Childs wrote. “Back at the 2017 Pwn2Own competition, a Hyper-V escape like this one would have earned the contestant $100,000 USD. Although we didn’t have anyone attempt this product this year, it’s safe to say we’ll likely get some attempts should the category return.”